Search in:

Simple secret to foiling credit card fraud

Aleisha Orr

Consumers are being warned about fraud possibilities with pay-and-go credit cards.

Good quality tin foil could be the difference between losing money to credit card fraud or keeping your cash secure.

Contactless card technology might make going through the checkout slightly faster but it also exposes people as it can be used by fraudsters to covertly steal money from a card while it is in a pocket or handbag.

Edith Cowan's digital forensics lecturer Peter Hannay said that while Mastercard was not aware of any cases happening he would not be surprised if it was happening but there were ways to protect yourself.

Contactless cards have several different names but they are bank cards that are placed next to a machine in order to carry out a quick transaction - rather than swiping or inserting the card.

Advertisement

Mr Hannay said ECU research showed it was possible for people to use technology to interact with the radio frequency identification microchip that makes the contactless cards work.

He believed current technology would allow interaction within close proximity of those carrying the tap-and-go cards, which would allow card details to be obtained.

The technology required would be obvious but could be hidden within a large briefcase.

“Brushing up against someone on a train, it’s not difficult to achieve on a train in peak hour, it’s not that obvious,” Mr Hannay said.

He said employing the technology from a distance of several metres would require much larger and obvious antennas.

Mr Hannay said the only thing that could block signals between contactless bank cards and other devices was magnetic metal.

He suggested good quality foil, not the cheap stuff found in local supermarkets, was best to use.

Several products were already on the market, such as shields or sleeves, and they had tested well.

Mr Hannay said that while he did not expect technology to make it any easier for criminals to access people’s bank cards, he did expect such fraud cases to become more common as the technology was embedded in new cards.

"A couple of my colleagues who have got new cards have asked about it and they've been told that if they want a bank card, they have no choice," Mr Hannay said.

Mastercard Australasia’s head of global fraud management Joseph Vukasovic said the company had not been made aware of any incidents of electronic pick-pocketing anywhere in the world.

He said that data drawn from a card in someone’s pocket was “effectively rendered useless” because additional information was required to use those details to make an online purchase, including the CVV code.

While major retailers and most other online outlets require the buyer to enter the CVV code to make a purchase, not all do.

Mr Vukasovic questioned why thieves would go to such lengths to obtain details from a card electronically.

“Every time you shop, that data is on there anyway, why would someone invest so much to get these details that are available to anyone who sees that card,” he said.

Mr Vukasovic said technology called CVC3 was built into the chip to increase a card's security.

Mastercard’s security factsheet on their PayPass technology describes how the CVC3 technology makes it nearly impossible to “replay transactions because a code that accompanies an authorisation request changes every time an authorisation request is made”.

“There is a discrete authentication code that changes after each transaction," the factsheet states.

“Without the proper code the transaction will not be authorised.”

WA Police did not respond to questions in regard to the matter of cyber pick-pocketing.

8 comments so far

One of the most frustrating aspects of credit card fraud is that banks will not disclose _how_ thieves were able to misuse one's card. We lost nearly $5K (refunded by the ANZ: thank you!) but the bank's reluctance to disclose just _how_ that happened means we may *still* be vulnerable... .

Commenter

Card Issues

Location

SWWA

Date and time

June 19, 2014, 9:12AM

@Card Issues,

They may not know. The bank does not receive much information initially about a card transaction, beyond the merchant information, transaction time, type (online, card present) and authorisation codes (i.e. card number, expiry, CVV if required). When you enter into the dispute, they will request supporting documentation from the merchant via mastercard/visa (a laborious process, I used to hate working on disputes). Often this doesn't amount to much, especially if it is an online transaction.

The point I am making is that you're expecting the bank to know something it actually can't find out. How did the fraud occur? Have you ever entered your card details to make a purchase online? That site may have been hacked or your connection snooped. Someone may have taken a surreptitious photo of your card, merchant or otherwise. All of these things are out of the bank's influence and literally unknowable to them.

Commenter

Cheese

Date and time

June 19, 2014, 10:40AM

Thanks for that clarification, Cheese. I guess the point I was hinting at is that _banks_ should be advising us more regarding security. What R & D is being undertaken to protect us? What advice is then provided to card users? If tinfoil really is as protective as claimed, shouldn't our bank(s) be circulating this information, rather than the universities... and online media?

Commenter

Card Issues

Location

SWWA

Date and time

June 19, 2014, 12:14PM

Maybe Peter Hannay should consider using this super tin foil for his hat.

Commenter

The Doktor

Location

Perth

Date and time

June 19, 2014, 10:34AM

Customers have no say in what reductions of security accompany the issue new cards, like these swipe cards or where no pin is required on transactions and the Banks say they will cover fraud loss due to these changers but I have heard from people that have had their accounts milked &that it can take Banks up to 3 months to return the money to the Account. I don’t keep any balance in card connected accounts, I just transfer amount needed daily. But I must give credit to the security on the use of my cards these days. In the last 2 years I have ever received a phone calls from Bank asking about attempted Purchases using my card Abroad .Or local Purchases & online purchases that were not the type of things I would Purchase . Last year I went to Melbourne and on pension day went to Auto Teller for cash and instead got message to call Card dept at Bank. Called and me being in Melbourne was not normal behavior. Next day I went to do online transactions in my accounts , A message to phone the Bank , I was accessing from a computer other than my normal computer or a computer in areas whey they knew i visited by card use. So the fact I don't keep money in accounts lined to card , the Bank has looked after me and having to phone them not much of an inconvenience, and having my card cancelled & replaced a few times a minor inconvenience. Customers should be able to turn on & off these no pin number facilities. I prefer to have to use a pin to use my card.

Commenter

RonaldR

Location

Cockburn Central

Date and time

June 19, 2014, 12:19PM

One thing I have found by experience is that it seems impossible for the reader to read your if there is there more than one adjacent to each other - I found this by trying to scan my wallet without taking the card out, numerous times without a successful read.I think some real testing should be undertaken to avoid scams such as "electric eel leather wallets" and the such.

Commenter

Skeptic

Location

Perth

Date and time

June 19, 2014, 3:18PM

Lol, maybe the tin hat brigade weren't so crazy after all.

Commenter

Ryan

Date and time

June 19, 2014, 3:36PM

When I was issued with new cards a few years back I asked if I could have paypass disabled (as I saw the possible issues with a stolen card), the bank advised me it was not possible. Am I crazy to suggest we might have an option when new cards are issued to have paypass cards or ones without? Am I not seeing the big picture? No paypass/paywave on a stolen card and its use (and associated fraud cost to bank) is vastly reduced prior to notification to cancel it. Yeah its nice and easy to tap and go, but who really needs it?